(Sorry, accidentally hit send, ignore previous mail)

On 12/15/2011 11:01 PM, Mick wrote:
> Hi All,
>
> I've generated a cakey.pem and cacert.pem on my PC.  Uploaded the cacert.pem
> to my router and used its gui to generate a CSR.
>
> When I try to sign this CSR file back on my PC I'm getting this error:
> =====================================
> $ openssl ca -config ./openssl_VPN.cnf -days 1095 -cert cacert_VPN.pem -keyfile
> VPN_CA/private/cakey_VPN.pem -infiles certificate-router-request
> Using configuration from ./openssl_VPN.cnf
> Enter pass phrase for VPN_CA/private/cakey_VPN.pem:
> Check that the request matches the signature
> Signature ok
> The stateOrProvinceName field needed to be the same in the
> CA certificate (Buckinghamshire) and the request (Buckinghamshire)
> =====================================
>
> I don't understand why I get this error.  Both cacert and
> certificate-router-request files contain exactly the same ST= field.
> The cacert_VPN.pem shows:
>
>          Issuer: C=GB, ST=Buckinghamshire, L= [snip ...]
>          Subject: C=GB, ST=Buckinghamshire, L= [snip ...]
>
> and the CSR shows:
>
>          Subject: C=GB, ST=Buckinghamshire, L= [snip ...]

Try repeating those output commands with the option

-nameopt multiline,show_type

to determine if the two disagree on the character encoding,
spacing or other subtle aspect of the ST= part of the name.

If it turns out to be such a subtle difference, please report
it back to the list as a bug in the openssl code that handles
the "match" option, and as a workaround change the field to
"supplied" in the policy but manually inspect each CSR before
deciding to sign it (This would not work if the match is also
enforced by a path constraint in the CA cert).

If it turns out not to be such a subtle difference (or no
difference at all) please tell the list about it too.


> Under the CA policy options in the configuration file I have:
>
> # For the CA policy
> [ policy_match ]
> countryName             = match
> stateOrProvinceName     = match
> organizationName        = match
> organizationalUnitName  = optional
> commonName              = supplied
> emailAddress            = optional
>
> but given that the entries are the same, I am not sure why I get this error.
> Any suggestions?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
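
Added example, not part of the original thread: a shell sketch of the check suggested in the reply, showing how `-nameopt multiline,show_type` exposes an ST= value that prints identically in a CA certificate and a CSR but is encoded with a different ASN.1 string type. The file names, the O= and CN= values and the use of `string_mask` to force the two encodings are assumptions made for the demo, not details from the poster's setup.

```shell
#!/bin/sh
# Constructed demo: a CA certificate and a CSR whose ST= values print alike
# but carry different ASN.1 string types. File names, O= and CN= are made up.

# mkconf MASK CN: emit a minimal req config using the given string_mask
mkconf() {
  cat <<EOF
[ req ]
prompt             = no
distinguished_name = dn
string_mask        = $1
[ dn ]
C  = GB
ST = Buckinghamshire
O  = Example Org
CN = $2
EOF
}

# build DIR: create ca.pem (ST as UTF8String) and router.csr (ST as PrintableString)
build() {
  mkconf utf8only "Demo CA" > "$1/ca.cnf"
  mkconf nombstr  "router"  > "$1/csr.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/csr.cnf" \
    -keyout "$1/router.key" -out "$1/router.csr" 2>/dev/null
}

# st_type cert|csr FILE: print the ASN.1 string type of stateOrProvinceName
st_type() {
  case "$1" in
    cert) sub=x509 ;;
    csr)  sub=req ;;
    *)    echo "usage: st_type cert|csr FILE" >&2; return 2 ;;
  esac
  openssl "$sub" -in "$2" -noout -subject -nameopt multiline,show_type |
    sed -n 's/^ *stateOrProvinceName *= *\([A-Z0-9]*\):.*/\1/p'
}

# Stand-alone run: build the constructed pair and print both ST types
dir=$(mktemp -d) && build "$dir" && {
  echo "CA  ST type: $(st_type cert "$dir/ca.pem")"
  echo "CSR ST type: $(st_type csr "$dir/router.csr")"
}
rm -rf "$dir"
```

Running `st_type` against a real CA certificate and the device-generated CSR gives the two types side by side, which is the comparison the reply asks to be reported back to the list.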
